Earlier this week infosec researcher Esteban Guillardoy unveiled details of an unpatched vulnerability in Oracle’s Java 7 software. This vulnerability is being actively exploited in the wild and has been implemented in various exploit toolkits such as Metasploit and BlackHole. Moreover, according to Guillardoy, exploits for this vulnerability are typically 100% reliable. This certainly got my attention, because from my experience many vulnerabilities require specific configuration settings or a particular scenario in order to be reliably exploitable. So, this is a big deal, especially given the fact that Java 7 is estimated to be installed on upwards of 1 billion devices.

To make matters worse, Oracle currently has no plans to patch the vulnerability until October 2012. And even once a patch is made available, it will likely be years before a significant majority of devices get updated. That means this vulnerability will likely be a primary target of attacks for years to come. This vulnerability is most likely to be exploited remotely by a malicious website if the user’s browser is configured to run Java automatically. Because of this, we can expect to see drive-by infection of systems as users unintentionally visit malicious sites, most likely through malicious iframes on compromised websites. Malicious banner ads are another likely source of infection.
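The drive-by vector described above (a compromised page or banner ad pulling in a hidden iframe that loads a Java applet into a browser with Java auto-run enabled) is something a responder can triage for in captured web content. The scanner below is an added example written for this post, not code from the original article or from any of the researchers or projects it mentions. It uses only the Python standard library and flags two things: elements that load Java content (`<applet>`, `<object>`/`<embed>` with a Java MIME type or a `.jar` archive, and `<param>` values pointing at a `.jar`) and iframes that are hidden via CSS or sized to one pixel or less. The sample page and its `example.invalid` hostnames are constructed test data, not indicators from the page.

```python
"""Triage helper for the drive-by vector discussed above (added example).

Scans an HTML document for elements that load Java content and for iframes
that are hidden or near-zero in size, which is how an injected loader is
usually tucked into a compromised page or a banner ad.
"""
import re
from html.parser import HTMLParser

# MIME type prefixes used for Java applets and Java Network Launch content.
JAVA_MIME_PREFIXES = ("application/x-java", "application/java")
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class DriveByScanner(HTMLParser):
    """Collects (kind, reference) findings while parsing a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            # Classic applet tag: record the class or archive it loads.
            self.findings.append(("java_applet", a.get("code") or a.get("archive", "")))
        elif tag in ("object", "embed"):
            mime = a.get("type", "").lower()
            src = a.get("archive") or a.get("data") or a.get("src", "")
            if mime.startswith(JAVA_MIME_PREFIXES) or src.lower().endswith(".jar"):
                self.findings.append(("java_object", src))
        elif tag == "param" and a.get("value", "").lower().endswith(".jar"):
            # <param name="archive" value="x.jar"> inside an <object>.
            self.findings.append(("java_param", a["value"]))
        elif tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))

    @staticmethod
    def _is_hidden(a):
        """True for iframes styled invisible or sized to 1x1 or smaller."""
        def small(value):
            m = re.match(r"\s*(\d+)", value)
            return m is not None and int(m.group(1)) <= 1
        if small(a.get("width", "")) and small(a.get("height", "")):
            return True
        return bool(HIDDEN_STYLE.search(a.get("style", "")))


def scan_html(document):
    """Return a list of (kind, reference) findings for one HTML document."""
    scanner = DriveByScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample page: one benign ad slot plus several injected loaders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://ads.example.invalid/banner" width="1" height="1"></iframe>
<iframe src="http://cdn.example.invalid/widget" width="300" height="250"></iframe>
<div style="display:none"><iframe src="http://loader.example.invalid/l.html" style="display:none"></iframe></div>
<applet code="Example.class" archive="http://loader.example.invalid/app.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="0" height="0">
  <param name="archive" value="http://loader.example.invalid/app2.jar">
</object>
<embed src="video.mp4" type="video/mp4">
</body></html>"""

if __name__ == "__main__":
    for kind, ref in scan_html(SAMPLE_PAGE):
        print(f"{kind:14s} {ref}")
```

Run against the sample page, the scanner reports the two hidden iframes and the three Java loaders while leaving the normal-sized widget iframe and the video embed alone. In practice you would feed it pages pulled from a proxy cache or a web server's document root; a hit on a site you operate is a prompt to diff the page against a known-good copy, and a hit in proxy logs tells you which clients fetched the loader and need to be checked for whether Java was enabled at the time.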

Given that no patch is expected until October, the following remediation options are recommended: